gandcrab | 77da860cd56ac35ea77e4768745a0c36a3662ad08fca31aa6a5ab1cec5c3d4e0

Resubmissions

05-06-2024 15:48

240605-s8zxpsbb5y 1

Analysis

max time kernel
672s
max time network
680s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05-06-2024 15:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

873d16767e0895ff109b2a2ae61335f5_JaffaCakes118.html
Size

175KB
MD5

873d16767e0895ff109b2a2ae61335f5
SHA1

15ce4fd25f2709f3a3379a41e51337ddfa6c773c
SHA256

77da860cd56ac35ea77e4768745a0c36a3662ad08fca31aa6a5ab1cec5c3d4e0
SHA512

280efb73feb2b569444212a708be2e1d9432752ececc7302f4841235c6d76f3d50f2732f12d867b289f9c881a282abf5709918435344d91948ee7570a2d436f5
SSDEEP

1536:SqtY8hd8Wu8pI8Cd8hd8dQg0H//3oS34GNkFjYfBCJisl+aeTH+WK/Lf1/hmnVSV:SBoT34/F6BCJiZm

Score

10^/10

gandcrab troldesh aspackv2 backdoor evasion persistence ransomware spyware stealer trojan upx

Malware Config

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-4124900551-4068476067-3491212533-1000\SVWJHE-MANUAL.txt

Family

gandcrab

Ransom Note

---= GANDCRAB V5.2 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .SVWJHE The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/ad31e0c52ed0d64 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAABytGcD1q2u9rWwfs/FI2F2zTxekly6G1QpiwjHF9hpRyBl+N6mZfyDFQu8o1zfpo4Yylz6lpaE5e5J/JNG5gHRsIo+Rojjcq4FyKWAj70Q0UCmcAifWz/6mzEWtBFsfKG2lsFsr3aBpSXuTKXusOjjDMFsxXbnNxHb+G4VZ+Yp93fEzDL5teE/XRgIzNXAmFSPp8Lu0DHOWugb9oI20pBXGbfp3iInCgSUc711nNyA6CpKYkQvXrxe8Sbg2t6Adcr0iWnWBj1tU5Bi7sTrlHNj/C27dmFepvcevxQ9nfMLMBVTs2c9fRWaVpOif5hVM6h3uEkT/4G11GjNlzlB6+tQXV3oYu61zhjSExG6cYi9cUGjJaiY5tGAvnSCcEycs6ADzi+aRAyTfyZzvg2m1N3zjTh1fZLu1v4xpu1SrjyL8EeO2YWahQOI/N1KsDj5QMRbFGXej4eCWNmyu75y1krWCtLinhsGt6ZuemAtyq+xLOa91CxJbsiVrulyYQ2yCGMr9plW6pomS3zYZCe1T2ai64Z5AdliXeyY/K26SMRh3GULdqIyqyd/T64Mf6Hi59H0iQKizvc21K5F838jG9wEylWuL2OsxfFR4L4qGrTh4LAOURwafmf1LcSVczdBjjn/V9ZefZZT8NqvovaM48Ur+RwdvfAxnvDd51bWyfoW0hyE7YegudgddIW4R06P4/zCjGSAEjaY7VD6NL4z4Oa7HHUd/V/jHYfifcmvB/QDsvQKoXb5kZCHW21BuugSbrxwEj4RDZlIsJw1wn8YipdSCF06zKt1eAzHYFUMMmiFF6D5/ytzW770kyjIc29S75R7fEVw3WP3q6kU+Kvfcfy0eCbiO+3DywCdm1ELbA4Nw1QMZZdoQbszbe7oODpcJWakDBcYVJPDmAANp2CcmzSoHQQWSa7Dkr/8a9/ugEt6MNfBoTnNThUfOGZcRFra9blMO1fCKbezX5ELjnnkzM+wLWAHHz0IB2rSACRkIBzzQc378BNBLhXgKOfPVn0qxgbcG+M20VdJNE3E7KxMt1kfrZ6928LjXC5GjgheRaNGtVnrju3isuv5HkW4nllUTYvPa/JNiZIBjupD6whzu6lma+umnOZpDk78vhEwiDGGJHy5VEeo88rAKvFg3UeFBqMIUfmgCBz6gykctvqVbdl9C/oxvzxwk8x83MRNSlW6DJC1rUgtTCmGUgNSBe63VxeaP+ljaME3Oa+UOiVRdeT1auwg4yVfXJGjyaqcc+JdAq/IePiZOfkMdLo8wwf7NIr5vAvL9aE2KmwVFEUP95UPXPhKybcLZva7qVIyy/+L54uvBXWNilJDdMXC2DU2cOgNdhYk6C8bEbDkImE5bQStL594N9qiWvtfblaSTFzlIYC7ELekQELq0UryPUWYEw7FsiFoMlFLhDdmCeZuSsVW1I0QE7qh4W2WB0xqkr8HI71zusu04iLJ9c/qP8nCYyYNly1M24ytRLGRoTTyBJu88pBcZyHk7mRc3CrsCR/q5WOVG0hMxx3PyHDiYO7F+VJT/1sYrCuUQnZ10v8OShAlwASb69JQe1tUO+9mgZFo/GcdOCLwTq0kg/ek4bcJQuxdQma4p9ho/QZkboPuCeZ3TpH6cTdVaRYwHVPyi7mSBhlG6eVwl0J/I8yMKqdx4pvaggbU4drXg3bSRBau4majgtxFFnxB24EXsoSXa90yffv6v91i2yaPqRCFKa7ivObZ9NQNAKTkW1UjXx+a3YbbVX5p1hj9fgaF/W3ht439vr8X317l7Ho8HOfMP+lmiA2JKHEx3kEzzxYFlKnlmD0iqEHYoRJzHXUMP9G6YPO5vDq4SEtN5vE56HhhbbTmdoj3ewjO5mQGUqr9oMiD1D86U18+b5JLMcP9dzGF01DKKjU+RaitjpmbkV/8gvecZa4BH506zTOuaSoBR6EgMPLPfYkr7xNqlO86m6YulwveI3lZkR9YFuZ8DRFdxyo2rPC70S89cX1zEG3or5CULTWtcfViErvy5s4BI9ztflVOJ6cP87Eb8/TTQfvZOpmBzrAhdgPmeQD6XUfj4DKishOIXJgZhbsm3datsMh+VLMpQ8iiBWwZQdwL5P5SpMVxgBethZIqPN0OnNMPWxUSPJG3A7XyegUCmDxTZ1qlxKkehVjSxsllcx0iLOufGznH0nlpyZWIeAof1Ldg2aYyuk8pVaUoeuKIdi5nzl6yMU1sISCqhiTQi19jCJDj+AMcSl977w3E= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- 7ftDEgLb/ZS0lcmZbHM61KDJ6AOtD78KkA7absMgUXYxWLsC+5+UYF9xVmDx9N7JNpDTAv2VsODJRW7IKnQXQzua3LPyzokSUuglaqKXwabsGM4pXku5In6gtMQMqg7sgEh1XW1iPMFgiUj/s1LdWpJHdiPjMpn7rCZNO/A31mak0K8RefoREu3BxtlAsseHWfVIIKN0U4NnA3w0Ga7XDLlF3iOIB6ImYbF6Z/7MBN2mgBr2rZ2gU1R7jNx2WKAyu4W+5zlHFnKwMISBi1CwemOo6FrxnP+Z5F9bSR7OvDBsmLj7oYD6GBgpBqj3RSAVfvfE0yZSXyCRtLeJLNBZBidqr8ZrR+C3YrHJmdaR2UfUP9nyqPNjLLDjT6O6r1xW4eZxTzPJ1fbDL0900Pf6S0az7KAooTbFrZ2EPDix5ShBudHoMloO6iOVzOm2qBpvYLwDrt0yoC8B1fqlXjmS7q94A+w+gSWwQUzSb+QfwNw4LR2j3Li9wF7i8TPbKPugg42XWKf+7AkXvCaiiYFEEv9EtCM4ANvhx9QWIEz1UEGNybGMOp0F1gg/+uQVe3kEm3TdCrDrBNcRPB6VJMopLqYb8gmQcDmVvbCVEY+sVLSKnN6aP0Iub5o0+FHLc3/SgKIMDArFyYH6qAJw1UaCxMHGs3USmw== ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/ad31e0c52ed0d64

Signatures

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh
Renames multiple (255) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
ASPack v2.12-2.42 1 IoCs
Detects executables packed with ASPack v2.12-2.42
aspackv2

Processes:

resource yara_rule

C:\Users\Admin\Downloads\Unconfirmed 775343.crdownload aspack_v212_v242

resource	yara_rule
C:\Users\Admin\Downloads\Unconfirmed 775343.crdownload	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

GandCrab.exeGandCrab.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	GandCrab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	GandCrab.exe

Drops startup file 3 IoCs

Processes:

explorer.exeGandCrab.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b227d6b7.exe	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\SVWJHE-MANUAL.txt	GandCrab.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\52ed0a8952ed0d644d.lock	GandCrab.exe

Executes dropped EXE 10 IoCs

Processes:

CryptoWall.exeGandCrab.exeGandCrab.exeNoMoreRansom.exeNoMoreRansom.exeNoMoreRansom.exeHydra.exeLauncher.exeTrololo.exeMelting.exe

pid process

5684 CryptoWall.exe
540 GandCrab.exe
4356 GandCrab.exe
5436 NoMoreRansom.exe
3380 NoMoreRansom.exe
1984 NoMoreRansom.exe
4068 Hydra.exe
1508 Launcher.exe
1820 Trololo.exe
5996 Melting.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
5684	CryptoWall.exe
540	GandCrab.exe
4356	GandCrab.exe
5436	NoMoreRansom.exe
3380	NoMoreRansom.exe
1984	NoMoreRansom.exe
4068	Hydra.exe
1508	Launcher.exe
1820	Trololo.exe
5996	Melting.exe

UPX packed file 37 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/5436-1433-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5436-1434-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5436-1435-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5436-1437-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3380-1441-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3380-1442-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3380-1452-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5436-1464-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5436-1465-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1984-1468-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1984-1469-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5436-1472-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5436-1505-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5436-1524-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5436-1542-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5436-1587-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5436-1606-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5436-1625-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5436-1662-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5436-1678-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5436-1717-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5436-1737-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5436-1739-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5436-1749-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5436-1771-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5436-1809-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5436-1860-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5436-1906-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5436-1917-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5436-1928-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5436-1930-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5436-1932-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5436-1934-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5436-1936-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5436-1938-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5436-1940-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5436-1942-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

NoMoreRansom.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	NoMoreRansom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b227d6b = "C:\\b227d6b7\\b227d6b7.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*227d6b = "C:\\b227d6b7\\b227d6b7.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b227d6b7 = "C:\\Users\\Admin\\AppData\\Roaming\\b227d6b7.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*227d6b7 = "C:\\Users\\Admin\\AppData\\Roaming\\b227d6b7.exe"	explorer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

GandCrab.exeGandCrab.exe

description	ioc	process
File opened (read-only)	\??\S:	GandCrab.exe
File opened (read-only)	\??\M:	GandCrab.exe
File opened (read-only)	\??\U:	GandCrab.exe
File opened (read-only)	\??\W:	GandCrab.exe
File opened (read-only)	\??\A:	GandCrab.exe
File opened (read-only)	\??\B:	GandCrab.exe
File opened (read-only)	\??\E:	GandCrab.exe
File opened (read-only)	\??\K:	GandCrab.exe
File opened (read-only)	\??\M:	GandCrab.exe
File opened (read-only)	\??\U:	GandCrab.exe
File opened (read-only)	\??\Y:	GandCrab.exe
File opened (read-only)	\??\Z:	GandCrab.exe
File opened (read-only)	\??\N:	GandCrab.exe
File opened (read-only)	\??\V:	GandCrab.exe
File opened (read-only)	\??\A:	GandCrab.exe
File opened (read-only)	\??\E:	GandCrab.exe
File opened (read-only)	\??\H:	GandCrab.exe
File opened (read-only)	\??\S:	GandCrab.exe
File opened (read-only)	\??\H:	GandCrab.exe
File opened (read-only)	\??\B:	GandCrab.exe
File opened (read-only)	\??\Q:	GandCrab.exe
File opened (read-only)	\??\T:	GandCrab.exe
File opened (read-only)	\??\X:	GandCrab.exe
File opened (read-only)	\??\G:	GandCrab.exe
File opened (read-only)	\??\O:	GandCrab.exe
File opened (read-only)	\??\Z:	GandCrab.exe
File opened (read-only)	\??\G:	GandCrab.exe
File opened (read-only)	\??\K:	GandCrab.exe
File opened (read-only)	\??\P:	GandCrab.exe
File opened (read-only)	\??\Y:	GandCrab.exe
File opened (read-only)	\??\N:	GandCrab.exe
File opened (read-only)	\??\J:	GandCrab.exe
File opened (read-only)	\??\L:	GandCrab.exe
File opened (read-only)	\??\P:	GandCrab.exe
File opened (read-only)	\??\R:	GandCrab.exe
File opened (read-only)	\??\X:	GandCrab.exe
File opened (read-only)	\??\J:	GandCrab.exe
File opened (read-only)	\??\L:	GandCrab.exe
File opened (read-only)	\??\V:	GandCrab.exe
File opened (read-only)	\??\Q:	GandCrab.exe
File opened (read-only)	\??\T:	GandCrab.exe
File opened (read-only)	\??\I:	GandCrab.exe
File opened (read-only)	\??\R:	GandCrab.exe
File opened (read-only)	\??\I:	GandCrab.exe
File opened (read-only)	\??\W:	GandCrab.exe
File opened (read-only)	\??\O:	GandCrab.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

185 raw.githubusercontent.com
186 raw.githubusercontent.com
232 camo.githubusercontent.com
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

189 ip-addr.es
224 ip-addr.es
244 ip-addr.es
257 ip-addr.es
265 ip-addr.es
273 ip-addr.es
187 ip-addr.es

flow	ioc
185	raw.githubusercontent.com
186	raw.githubusercontent.com
232	camo.githubusercontent.com

flow	ioc
189	ip-addr.es
224	ip-addr.es
244	ip-addr.es
257	ip-addr.es
265	ip-addr.es
273	ip-addr.es
187	ip-addr.es

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

GandCrab.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\bxmeoengtf.bmp"	GandCrab.exe

Drops file in Program Files directory 24 IoCs

Processes:

GandCrab.exe

description	ioc	process
File opened for modification	C:\Program Files\CheckpointCompare.rle	GandCrab.exe
File opened for modification	C:\Program Files\FindEdit.aif	GandCrab.exe
File opened for modification	C:\Program Files\WaitResize.mhtml	GandCrab.exe
File opened for modification	C:\Program Files\ApproveStop.zip	GandCrab.exe
File opened for modification	C:\Program Files\ConfirmCopy.hta	GandCrab.exe
File opened for modification	C:\Program Files\ExitRestart.tmp	GandCrab.exe
File opened for modification	C:\Program Files\MoveEnter.WTV	GandCrab.exe
File opened for modification	C:\Program Files\RestoreMeasure.cr2	GandCrab.exe
File opened for modification	C:\Program Files\StopCheckpoint.xsl	GandCrab.exe
File opened for modification	C:\Program Files\SubmitMount.fon	GandCrab.exe
File created	C:\Program Files (x86)\SVWJHE-MANUAL.txt	GandCrab.exe
File opened for modification	C:\Program Files\CompressPublish.asx	GandCrab.exe
File opened for modification	C:\Program Files\InstallFormat.wmv	GandCrab.exe
File opened for modification	C:\Program Files\InvokeRemove.TS	GandCrab.exe
File opened for modification	C:\Program Files\CopySet.aiff	GandCrab.exe
File opened for modification	C:\Program Files\GetUnpublish.mpeg	GandCrab.exe
File opened for modification	C:\Program Files\HideComplete.xps	GandCrab.exe
File opened for modification	C:\Program Files\RenameTest.m1v	GandCrab.exe
File opened for modification	C:\Program Files\SetMerge.tiff	GandCrab.exe
File created	C:\Program Files\SVWJHE-MANUAL.txt	GandCrab.exe
File created	C:\Program Files\52ed0a8952ed0d644d.lock	GandCrab.exe
File opened for modification	C:\Program Files\AssertExport.kix	GandCrab.exe
File opened for modification	C:\Program Files\SubmitStep.gif	GandCrab.exe
File created	C:\Program Files (x86)\52ed0a8952ed0d644d.lock	GandCrab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

GandCrab.exeGandCrab.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GandCrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GandCrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	GandCrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GandCrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GandCrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	GandCrab.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5684 timeout.exe

pid	process
5684	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2260 taskkill.exe
4880 taskkill.exe

pid	process
2260	taskkill.exe
4880	taskkill.exe

Modifies registry class 3 IoCs

Processes:

OpenWith.exemsedge.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4124900551-4068476067-3491212533-1000\{09430EB0-5AAD-4AE1-B8CD-622E7448402E}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 7 IoCs

Processes:

msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 274581.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 460124.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 990509.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 705560.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 775343.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 524094.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 521248.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exeGandCrab.exeGandCrab.exemsedge.exeNoMoreRansom.exeNoMoreRansom.exeNoMoreRansom.exemsedge.exemsedge.exemsedge.exemsedge.exe

pid	process
2104	msedge.exe
2104	msedge.exe
1476	msedge.exe
1476	msedge.exe
4440	identity_helper.exe
4440	identity_helper.exe
4300	msedge.exe
4300	msedge.exe
5608	msedge.exe
5608	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
5624	msedge.exe
5624	msedge.exe
540	GandCrab.exe
540	GandCrab.exe
540	GandCrab.exe
540	GandCrab.exe
4356	GandCrab.exe
4356	GandCrab.exe
220	msedge.exe
220	msedge.exe
5436	NoMoreRansom.exe
5436	NoMoreRansom.exe
5436	NoMoreRansom.exe
5436	NoMoreRansom.exe
3380	NoMoreRansom.exe
3380	NoMoreRansom.exe
3380	NoMoreRansom.exe
3380	NoMoreRansom.exe
1984	NoMoreRansom.exe
1984	NoMoreRansom.exe
1984	NoMoreRansom.exe
1984	NoMoreRansom.exe
1100	msedge.exe
1100	msedge.exe
5660	msedge.exe
5660	msedge.exe
5028	msedge.exe
5028	msedge.exe
620	msedge.exe
620	msedge.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

CryptoWall.exeexplorer.exe

pid process

5684 CryptoWall.exe
4776 explorer.exe

pid	process
5684	CryptoWall.exe
4776	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs

Processes:

msedge.exe

pid	process
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

taskkill.exetaskkill.exeAUDIODG.EXE

description pid process

Token: SeDebugPrivilege 4880 taskkill.exe
Token: SeDebugPrivilege 2260 taskkill.exe
Token: 33 5340 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 5340 AUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	4880	taskkill.exe
Token: SeDebugPrivilege	2260	taskkill.exe
Token: 33	5340	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5340	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

msedge.exe

pid	process
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

OpenWith.exeOpenWith.exe

pid process

4468 OpenWith.exe
3924 OpenWith.exe

pid	process
4468	OpenWith.exe
3924	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1476 wrote to memory of 4256	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4256	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 2824	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 2824	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 2824	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 2824	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 2824	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 2824	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 2824	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 2824	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 2824	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 2824	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 2824	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 2824	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 2824	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 2824	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 2824	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 2824	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 2824	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 2824	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 2824	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 2824	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 2824	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 2824	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 2824	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 2824	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 2824	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 2824	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 2824	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 2824	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 2824	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 2824	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 2824	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 2824	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 2824	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 2824	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 2824	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 2824	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 2824	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 2824	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 2824	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 2824	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 2104	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 2104	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4936	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4936	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4936	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4936	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4936	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4936	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4936	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4936	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4936	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4936	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4936	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4936	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4936	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4936	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4936	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4936	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4936	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4936	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4936	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4936	1476	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\873d16767e0895ff109b2a2ae61335f5_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe40aa46f8,0x7ffe40aa4708,0x7ffe40aa4718
2⤵
PID:4256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,8629280413980340252,10208271955476833560,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
2⤵
PID:2824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,8629280413980340252,10208271955476833560,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,8629280413980340252,10208271955476833560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
2⤵
PID:4936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8629280413980340252,10208271955476833560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
2⤵
PID:2360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8629280413980340252,10208271955476833560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
2⤵
PID:2084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8629280413980340252,10208271955476833560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
2⤵
PID:404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8629280413980340252,10208271955476833560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
2⤵
PID:4532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8629280413980340252,10208271955476833560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
2⤵
PID:1056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8629280413980340252,10208271955476833560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
2⤵
PID:2728

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,8629280413980340252,10208271955476833560,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5984 /prefetch:8
2⤵
PID:4392

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,8629280413980340252,10208271955476833560,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5984 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8629280413980340252,10208271955476833560,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
2⤵
PID:5236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8629280413980340252,10208271955476833560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
2⤵
PID:5372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8629280413980340252,10208271955476833560,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
2⤵
PID:5380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8629280413980340252,10208271955476833560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
2⤵
PID:5804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8629280413980340252,10208271955476833560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
2⤵
PID:6080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2140,8629280413980340252,10208271955476833560,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5440 /prefetch:8
2⤵
PID:3788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2140,8629280413980340252,10208271955476833560,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5416 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8629280413980340252,10208271955476833560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
2⤵
PID:5580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8629280413980340252,10208271955476833560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2720 /prefetch:1
2⤵
PID:6016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8629280413980340252,10208271955476833560,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:1
2⤵
PID:6032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8629280413980340252,10208271955476833560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
2⤵
PID:5200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8629280413980340252,10208271955476833560,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
2⤵
PID:964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8629280413980340252,10208271955476833560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
2⤵
PID:5532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8629280413980340252,10208271955476833560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4496 /prefetch:1
2⤵
PID:772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,8629280413980340252,10208271955476833560,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3380 /prefetch:8
2⤵
PID:388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8629280413980340252,10208271955476833560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
2⤵
PID:4820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,8629280413980340252,10208271955476833560,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6644 /prefetch:8
2⤵
PID:1828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,8629280413980340252,10208271955476833560,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5608

C:\Users\Admin\Downloads\CryptoWall.exe
"C:\Users\Admin\Downloads\CryptoWall.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
PID:5684

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\syswow64\explorer.exe"
3⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: MapViewOfSection
PID:4776

C:\Windows\SysWOW64\svchost.exe
-k netsvcs
4⤵
PID:5440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8629280413980340252,10208271955476833560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1
2⤵
PID:2576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,8629280413980340252,10208271955476833560,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3388 /prefetch:8
2⤵
PID:4520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,8629280413980340252,10208271955476833560,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5588 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,8629280413980340252,10208271955476833560,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6168 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5624

C:\Users\Admin\Downloads\GandCrab.exe
"C:\Users\Admin\Downloads\GandCrab.exe"
2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:540

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet
3⤵
PID:5984

C:\Users\Admin\Downloads\GandCrab.exe
"C:\Users\Admin\Downloads\GandCrab.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4356

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout -c 5 & del "C:\Users\Admin\Downloads\GandCrab.exe" /f /q
3⤵
PID:5088

C:\Windows\SysWOW64\timeout.exe
timeout -c 5
4⤵
- Delays execution with timeout.exe
PID:5684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8629280413980340252,10208271955476833560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
2⤵
PID:5580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,8629280413980340252,10208271955476833560,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6800 /prefetch:8
2⤵
PID:6072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,8629280413980340252,10208271955476833560,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4052 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:220

C:\Users\Admin\Downloads\NoMoreRansom.exe
"C:\Users\Admin\Downloads\NoMoreRansom.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:5436

C:\Users\Admin\Downloads\NoMoreRansom.exe
"C:\Users\Admin\Downloads\NoMoreRansom.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8629280413980340252,10208271955476833560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
2⤵
PID:1240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,8629280413980340252,10208271955476833560,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5364 /prefetch:8
2⤵
PID:2432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,8629280413980340252,10208271955476833560,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6304 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1100

C:\Users\Admin\Downloads\Hydra.exe
"C:\Users\Admin\Downloads\Hydra.exe"
2⤵
- Executes dropped EXE
PID:4068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8629280413980340252,10208271955476833560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6712 /prefetch:1
2⤵
PID:5804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,8629280413980340252,10208271955476833560,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6284 /prefetch:8
2⤵
PID:4516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,8629280413980340252,10208271955476833560,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6536 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5660

C:\Users\Admin\Downloads\Launcher.exe
"C:\Users\Admin\Downloads\Launcher.exe"
2⤵
- Executes dropped EXE
PID:1508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8629280413980340252,10208271955476833560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6912 /prefetch:1
2⤵
PID:5308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,8629280413980340252,10208271955476833560,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3524 /prefetch:8
2⤵
PID:1308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,8629280413980340252,10208271955476833560,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3188 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5028

C:\Users\Admin\Downloads\Trololo.exe
"C:\Users\Admin\Downloads\Trololo.exe"
2⤵
- Executes dropped EXE
PID:1820

C:\Windows\SYSTEM32\taskkill.exe
taskkill.exe /f /im explorer.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\Windows\SYSTEM32\taskkill.exe
taskkill.exe /f /im taskmgr.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8629280413980340252,10208271955476833560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
2⤵
PID:6008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,8629280413980340252,10208271955476833560,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3992 /prefetch:8
2⤵
PID:3768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,8629280413980340252,10208271955476833560,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1744 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:620

C:\Users\Admin\Downloads\Melting.exe
"C:\Users\Admin\Downloads\Melting.exe"
2⤵
- Executes dropped EXE
PID:5996

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:620

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5064

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1828

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5632

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4468

C:\Users\Admin\Downloads\NoMoreRansom.exe
"C:\Users\Admin\Downloads\NoMoreRansom.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1984

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3924

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x150 0x338
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5340

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\0c27be0d-9a0b-4a43-95c1-6ff2fb5df43a.tmp
Filesize
8KB

MD5
8bf0c8df724e029cc4d50e62aeb5ebbf

SHA1
b37ed6f51e695d469ff2f618bcfcbc83a7491c29

SHA256
d25f3c4745ec53f081e167f9927eab7d732739af1f4b60bf6fef3010858406b0

SHA512
cfb359071781ba3e5cbc525f020e4fb2f2197842bf7e4e69bb219de945e61399a54e928608c0c8e108653c6632c66576a15f99ad2183a54dc10425c6996e5a0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\19c87e94-fb3b-4733-983a-5a2c06b18390.tmp
Filesize
1KB

MD5
0b720b34c9317e6747e53efc1b975ce5

SHA1
9803cad893a23afe476bca67fd5bcd49b882e75c

SHA256
d76e631926b3083fb0dd9fb59b82d0d5bd6bcc4ac9a2e40280c5d15bfd079ace

SHA512
b885908a130f29acfd8f40daf7882e102403aafe3c5e1e58170db70194245f40560b41f525669b883b70695ea88890d1ceefe78cd2385d535e13d7c6e2433b80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index
Filesize
5KB

MD5
26487707be9934e9a9a6e5a6514e9f00

SHA1
884d931f1b573c48ddba5a80b6500d6aeabf3564

SHA256
58589ea744870253be373c3dc329d64a60a2a1de8729322775e6480b4e2ddfcf

SHA512
078e046559789d65431268808ffb725d068d4ffef193f74572692aa13d97a76594c9fda83ed2d80cc296827f9ffd565fda2815bd4fe77a71f29b0ba5ecd06366

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
4KB

MD5
635fbc618c4188998ccd5c47b1185e2d

SHA1
854eb57c2d73ab70ec78510b1505397826743231

SHA256
b0607b978bdf303deb4010affae8f56698d726fba1c97ba9a736c179a4029682

SHA512
4ba56e8ad24809cc1cbe8ce1aa1b782d472f962e0804746c015ad63831693aebec5fd3ea5e7d8528708533067b8bb6aafb211fd1ddbac497eec750d38ebbc9b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
5KB

MD5
dc3e49c9d1c4efbd64e2d72dbb9d60c3

SHA1
773b20edb3af04bf54ba9780b2c06a16bce3eae7

SHA256
d6cd3e78325d3603c8d1e16cd83243c87f8cd0f1fd74147f5d8190a04a80ea59

SHA512
c95c12c5383f905efdef773ef8e702abf398fefbd271864adb68f2dd6c564777b96f2cee3059a2d4e3ac5152ed2ada3384dd992d27e7619f2e3d32da52a3bbd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
1ee5f49aef72976038eb5cbae0d91805

SHA1
f31694d19ad09a4314d1ec7b3e641f690dd497bf

SHA256
e4002e4f61b2e8709be63d4684fa5bce7ac77b6e8d32a155c200a2901d5b8727

SHA512
6213a65ca852f163f5a15682a6159f43130c93441bf10e1676b1aafc477914e7d3e1d1cbe3456408eda42c23a06c04620936b3d8f44056993485f0b03ae5a1a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
3KB

MD5
15f6eb3f155a11e234b8d5bdc4e79582

SHA1
6ddc9cf97da4b07806e530dcda019185e6ff8b97

SHA256
e9fc7c6016c9aae5381cf53a28194dbe21a1efe717e03ff405dbbd56c51bf58f

SHA512
49644ed694d2f0e0174fb452f915858b68ab67d634ad0b92a9f9012f92bcd81c60b1d20548276197c25e1c370bc083d17cd60df36464acd562c195f87df45987

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
3KB

MD5
050ebd2c2701897a8f696a6e50af2953

SHA1
0a7c58f00e96d43697474636b2c5e8f841148f1e

SHA256
f64e3fb73f99478dbeb0075b205fc057f2208ab9cc8f26cf326c8e5e291123b0

SHA512
660737f6bd953bd3fab9abf552201c76f88166493403de3fea4a5c414b65f4f1d068093f90d7a235eda4c5fb5ab86a28b5179b17ba494b94eadfcb679bc077b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
b277f83381d780fcd67fcdd2ccedfe8c

SHA1
1088be0df24d8f680ab2bf6e859e0e269302e5f9

SHA256
81ce7b39802aaa339563022df46a465849d4a5ec9a35c5eaca361f15ad06dae6

SHA512
54aaf81aa7be39ae092f08508454f95f033be8f1afa07927ebb51684742d2dfdf505f5cb33abc28eb4b6df9cf57845faaaeea339b02af6940f2662b64642b247

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
e62fb17286d1e1e91610a517bcf62510

SHA1
15a19de3939e2b57f6a694aaf1299e17fbb11ecc

SHA256
10a9892429362c800a4f603a80fc09105edf5a6935dd6df2af0bd529388e25ea

SHA512
45f2989458500d489fe5cc1262a813f3e50730678afb763acd8b2f2dcdc8bfb415ebd8bbb23404d717c8c25bd045952aa4c91c5341f423e5cedf017adbdfa77f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
2a2e8bec673f8b1ad81fbfdfe91a8062

SHA1
dcbaa4fcf948d85f105f9ae955ad642eacc3279a

SHA256
3d6ef5f91c1e6d3c8bad59c1545040ac69c955342aeea7cfd85d49c158020afd

SHA512
22ca1a2038d0f45c902e1fcdb9fdbb348e414aa6cd26804dde15f479afa517d582977ac67a5ada26c26602e88f9b5dda8f5b25197dd79ddea5002aae37ba29c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
46508092d4476083a3dec6608e47c4b3

SHA1
0d1571e3998fec5669ba091229441ef5d3e9bf56

SHA256
9726cbd01935d01224bf3d0567027f362c2c9c57b3ad767078b2ec4f0d8fa827

SHA512
a26301da46c582ceeecd040a5372fd70f2f82722e277f0deaa3786a520c3631d2112dfbbbcb19d998b0c4cfad9fbb0dec3984e9823e5aaedf3b8f6e308b26e19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
3f150deb362b8c46a51af7c927373b01

SHA1
53a3697fc72df9203c0f6f746582cdd416fea493

SHA256
d02ea4ff076a45f056416ff98272e10d84889e35a2e4cbf2dbb16a90fb8b42c2

SHA512
6905d5bee64da1f0f0403dccd6269a78677be05a2e29c133ce6e2f7695e593bc078f7bf9ca9ecd5a9fe268bd09633e8d7240fd20d40ab23652cfb18c2ea993fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
874B

MD5
1b639363e4e8c9809627f4adb8f9e423

SHA1
5503d6e30229625836288f4364ac30b2f955d85c

SHA256
fdc0ac86d7297705d39421404c628b31efc4fe0f3e3e09e1b276aa7a831df4f2

SHA512
4613675b6b3664b91c2f2a9e08bca8633e0d4c438d1688ddb6d92655e492600f10992dda765e1870a08a3bfad93058f28a1c5e5cb820f4b35c5b9da325b41880

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
d06715e552b48fce158b7db99e865cda

SHA1
81d603adf67b532b39980d40537c796d626bca8b

SHA256
ad8d3292ae3b3c4fed0adc6d209f3b010ee2fdaa8acc159dbad8cce9081e39a9

SHA512
a32798e74e23dd153d2ce47e35a0aa7e3f7bdb8f3e2beaf0dfa338ea004ce614b5a1f30b183d0fb5b685f13184322b95b344d8b5d8ef21058c42322db564968d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
938b9d3ec50e205e17f0e74b5794bcfb

SHA1
b8278eb7572cb53924215eb9270b0965f82a66dd

SHA256
28ea323cc2af5a385e1943a5fda8b1a7d2638e35b3054af6abc5a2fc6f2f2fe6

SHA512
63e05c0769c1db25c19d404d8f429e447ce4ebc58ff27eec90f5fcd2d001b104b93b0f0e65c6c2b47dd921e27aafc3cf0c1317808be19aff054bbec4c447bf85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
09ddbd6139aa1dd5d19f5132f3cc2bcc

SHA1
9aa2bf569013acde91d140aec9491f83124fe6f6

SHA256
2382e6c39e4028596db68f1eabff95fca9b8d7fae26432fde06b8304b921a42c

SHA512
7faf21c26f38c37bbcdccec3441d7112f348a343e55291767ed2ebc53f81b8e1da0cfb644856ed27b2f2c2257d6647b1d62dbbf62820e59cbd996597ecf8ff9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
3ffac260a80921fc8640a32c1bb21350

SHA1
f3bac50b2d57b4bf618ba38a00eb608e86dc6347

SHA256
2afc9120c73534b1524ecf7ae697b3c3a283c617213647020601f3ae0a850900

SHA512
a3dcb7244dbec2ebbc8e151713a5da6a76b6ae2666e2179484fc7b75a54ea9ae4a17c83d0909c160274e103ef60ef1af6e6a208b7e1609599bd3d198daffa62d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
c7eb1e2fd40798a6738874c850987054

SHA1
d62179e41c1f6e85a54d630dba600512aa6cafd0

SHA256
77cbd5df65aae869f4781aa101e32419a3a9ac0789a779c74dc21934a634858d

SHA512
d4111a2413cfa125c93dc4415ae41eaf9941c668bd55f687289d296bb2ff58309fc1bcafcef513f68e0c7492f2e384d3eb7570250d1acf4f8ec609be48d8440a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
d765cd6571bb914c9ab28fd7bfbaea1d

SHA1
d4260f7f6c4a5e9ab834e62b309ac8739d898170

SHA256
4345830b6b832e578752ae31bbf5c7738befbad5e86dc450a84ded94357bf2ca

SHA512
049c02323ae8d9d0d1a85b09efa92cc63314a85c7900cb9cb37b001830ff073357ddb5988bf09aae26afb9007d0b005947faf4bf8d44053e1f0b019366645155

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
e69843a1c0428e38503e3ebdf3d49999

SHA1
e16c2ce94cb90d8b8803da2d59275209f6bf1526

SHA256
9b3b3331b8070000c4565aeab28a5c5cab179513799b5f9a1ff52223c4fe8780

SHA512
49948d83e4b9a40a87e79eb64fb4718ae52347237d0e8e8ea6d8426da1ce962aea0333f57eb47dc88a7e4d0b54f6626ce62d0dfc58e9f7d6e741fcfcfc0cd18f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
3d444c7cdd6893f5c7730b79c8cae93b

SHA1
0740faf29bfdc444cb73503f98db2cbc47842dc6

SHA256
12649c82e1a2ca50636c77682c1e030c52b7db454ba0cb5d1e4f01fdc41b0a66

SHA512
df0dfdcb90ad8727be62a133182e63c8f2c31b45ae40fc529e35d7ca2363833e516480a1d06eaf62c515147060326a9c365ccbfbda2e3df08354e805ddd61b4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
094bc562a1c53a14a22181ce04424437

SHA1
6ae1837c822a48902d18be675315953d33e77587

SHA256
637105c76a6ce8b86cdf0314613f4efccb0007e124908c8137c59a6ff9b935eb

SHA512
73dae02965dfe3bd5e64be993b887d5825a90acfbfe8a48027fe25004cad53b8f77ff152ebe19dfb53b60ca0737f68abcd82e94f4a9d769370a9fefca87ca634

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
32b1abf91a63867c86278261f5140b87

SHA1
c7c87d50d4483696f5c244a9276273e930cf13ac

SHA256
80fdc54fc83cc877c186cda0d237490e6f92497bf74f3856869f90d44bbca5d4

SHA512
c5340a5bc2bfa40b4821615e8e1be801213bc6a40c01a745167a8d5135f4d0698844cf908a0b1ff06a3fc47a2f9392daeeb4dfca2141eece04720ad9d8b079da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
e0e5b77b26bd4a15a9e06586c5e459e5

SHA1
42cd878c31e33f4a54c4de8d05b47741933b3af8

SHA256
c6912497d9bc16a926a39faa2bd57ba1e506b6ddd61676f489bd7bd1fb1d71c2

SHA512
d93a5c3a49546a67792fe5e661a9ccc76349422c4ca91afdcf62d33552d7bba60d7efc1f3613223c04af251289fbd89ace03a6b6be8b641e72ffc9f26a7b2959

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
d32710468ef00d87f02210c45c9704ca

SHA1
f6f1635d434bb9152d0a3a25a326c39b7ed69165

SHA256
70b896c8224bbb28742f3ea2993b2914e549145f901ada5535b69c9ae40d6cbc

SHA512
0a0dbb4b1c8ec5759b0f7ec33bcb5cc39bb20c38d9703a7257bf3912c47374c36cea0477e329d7f15b6705664c2313288c6b4ff4673438b8da023dd0164e55c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
001ece0f711080b786e964fb118c2e06

SHA1
5dc3b1d3b31b88981b50e2c7d1402a2c675a4c90

SHA256
6ed58fe3a1a7d69f11ebb27948a384b3fa5cdb9b9fbe3d3bd366577d7fa1aaf5

SHA512
ee1ef2798e157143013c9722022461aef701782f4b9a69e37fba0940e71a6fe48dae7fc3651b4007a0854afaa53881dfe0b57f0f4bb306874909c3db8df30ef7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe579dd6.TMP
Filesize
372B

MD5
fc33ce5b52fb223f9f2f0f59f67bb224

SHA1
22cc4756d3597d8283c43c5dd74937a78420ed29

SHA256
6193084a7acae0dbc8ed5d198d3d87e7843a0465f693234af975821c4fe55eec

SHA512
02b68f062a69ea1cab46389715eb9c13a41c8a31fdeb579c2c26a06d23fd2b49dbbebdce29f831b1951f267db3c4aeeb49e1735c5f97301264b2ad90dd566315

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ad083e86-af8e-47d0-89f8-1778fc7432f8.tmp
Filesize
1KB

MD5
286b06fe094d0d6f271d00ed91416b71

SHA1
d0c36c41cd880cec986435ad6db5f7afaf9b6b10

SHA256
47f270ea3ddb4c7fd15c8a69a1febc28dfeaaef8511fd41032ef777922e67107

SHA512
4aa3c4d582a6504377f732b2ef5abf084dc4ed19cdf76f8f983415afc140d877c3fa4ac93e547484d3fb656e85394f3cdd8f97ef725b455355bfb1c36be22b50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
b12beee10b5af3149d2f2048ead33b17

SHA1
5a6f279968b8ffdf0f1e316b7365c8a4f7607922

SHA256
3e3877e6f3fac5ebe44ff7d06d71f0920873e1040be1cc648d9a09c728c3765e

SHA512
3cd85e5beb9e617c02808ecf514000e13d7196b577e29251b353c2c11ed9639023165bc18bc8a5d9f4e4a8baaf6a0a32648d7d785b13649be21823d6e5811052

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
08936b6b40689c25fd5f5a646fba5556

SHA1
c994502edb85e5d28478b7564171fff28f33011b

SHA256
811e2866135c646a9cf55a9c726e9b70eccd73ce69c9bdee3dfadfed6b1d194b

SHA512
74f497438e16b93b39cf9709646f10b07f277c7563402dabed17377796c2afb4603427f49896443b2159d05e81463df0b5e2e1a31ef3f2c1468d46fcaae8856f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
9a592181964a568d312018d0a2701420

SHA1
47a7ec7cc9c70adfe19e05f8ba7b2606d40ce91b

SHA256
02225d01f1e564b5c08f2aba98e0aee7a89e7f11223bab4b7569fb0fed534dc2

SHA512
af34774bdded7fbbcd6ef3c8b0340bacc27f3426f82ba3e8d53c9f2ab7d3796b5414a9868ef37947282deb9d43c51b3d6065826af442a18bde56a48aecb91e44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
6911da9a5ff3c34f36c0fdd95b3f7b41

SHA1
9acbe847aa3d11067d590aa0efa26c715a295f30

SHA256
f70fb8fbec91edd24d865052f7e236406c85f4108547e19a7f623cec2d4b10c2

SHA512
64fb5ed50093af1b44aca0daae63e32255c0b89fcc4ff28a642696ee2e4d0ec96a2de4306055bc138568d8dc5c3e9cbd7ef0d3e3f32050c1fe64014320774831

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
83c9fcd8dc578690af48619001857690

SHA1
f8c6d15574417f1d9878e73de8fe1fdd5eaaa052

SHA256
e5aef79acdfa977c34604d9bdc1121b86bf5acd55414d603409e6072a233773f

SHA512
46f18599808838e850dda3bd3ad30ba582642811b69e2338cdd87d7650d1cff1c9293291d5125a78d362ebfd831a74ed58b248c7771337bcad24c13e6a30f6f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
49fc7ce04d4cd975bc37e863cf193188

SHA1
8c1478bdc0db49c6ab63765ec6fd7d5697ac4003

SHA256
aade0c474afee3a6777987e1c2687c2f32922ac3ae5005b205e811f2018aac69

SHA512
f5ed42aefc49d6e634d9c78881878479b726f03caf169ab9b9ae0fc62a0b15c9882a06511f0efa9ac4c9fe2543fb5029262bb6abaca0879f59a710c3f7a28b55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
f5408645d95afc2f62146ef2d6814654

SHA1
d33a3b861b6464187b40f4c502521b8fcb24ece7

SHA256
9c398d11e424050361dd27cb8a5b2e3b8cb7c94f8c880c6924c001b934abc439

SHA512
233832da4f62c2be67c8b3628ab7f45b8e5e8e8dfdf78ae52fb9884e6816ca409404cab01e7e8b241350ab6c66f0eadb8c4c6baf2ca63e3f26bd9a444667b136

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
f55456d48c1127fbf587a703a7759584

SHA1
259815dc23dcc65395249ced0ad6fcf2622e17d1

SHA256
57f50db85a10445a64f7683eb0f29c58b728fc3aa7f8a6ba67ff743bcc5a2615

SHA512
e974c31c48851624b0f6695b2b59b9ba34aad5cc36b9d0d2f901dc88a7b0a231e890661061520fc1f60190bb9ab32046ea513281b813721865ed702d42f44f37

Download Submit
C:\Users\Admin\Downloads\Melting.exe
Filesize
12KB

MD5
833619a4c9e8c808f092bf477af62618

SHA1
b4a0efa26f790e991cb17542c8e6aeb5030d1ebf

SHA256
92a284981c7ca33f1af45ce61738479fbcbb5a4111f5498e2cb54931c8a36c76

SHA512
4f231fc16339d568b5cf9353133aeae835eb262dab68bc80d92f37b43df64dce4fae0e913cbaa3bb61351a759aeecf9d280bc5779b0853c980559a654d6cca11

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 274581.crdownload
Filesize
132KB

MD5
919034c8efb9678f96b47a20fa6199f2

SHA1
747070c74d0400cffeb28fbea17b64297f14cfbd

SHA256
e036d68b8f8b7afc6c8b6252876e1e290f11a26d4ad18ac6f310662845b2c734

SHA512
745a81c50bbfd62234edb9788c83a22e0588c5d25c00881901923a02d7096c71ef5f0cd5b73f92ad974e5174de064b0c5ea8044509039aab14b2aed83735a7c4

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 460124.crdownload
Filesize
291KB

MD5
e6b43b1028b6000009253344632e69c4

SHA1
e536b70e3ffe309f7ae59918da471d7bf4cadd1c

SHA256
bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a

SHA512
07da214314673407a7d3978ee6e1d20bf1e02f135bf557e86b50489ecc146014f2534515c1b613dba96e65489d8c82caaa8ed2e647684d61e5e86bd3e8251adf

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 524094.crdownload
Filesize
3.0MB

MD5
b6d61b516d41e209b207b41d91e3b90d

SHA1
e50d4b7bf005075cb63d6bd9ad48c92a00ee9444

SHA256
3d0efd55bde5fb7a73817940bac2a901d934b496738b7c5cab7ea0f6228e28fe

SHA512
3217fc904e4c71b399dd273786634a6a6c19064a9bf96960df9b3357001c12b9547813412173149f6185eb5d300492d290342ec955a8347c6f9dcac338c136da

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 705560.crdownload
Filesize
43KB

MD5
b2eca909a91e1946457a0b36eaf90930

SHA1
3200c4e4d0d4ece2b2aadb6939be59b91954bcfa

SHA256
0b6c0af51cde971b3e5f8aa204f8205418ab8c180b79a5ac1c11a6e0676f0f7c

SHA512
607d20e4a46932c7f4d9609ef9451e2303cd79e7c4778fe03f444e7dc800d6de7537fd2648c7c476b9f098588dc447e8c39d8b21cd528d002dfa513a19c6ebbf

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 775343.crdownload
Filesize
197KB

MD5
7506eb94c661522aff09a5c96d6f182b

SHA1
329bbdb1f877942d55b53b1d48db56a458eb2310

SHA256
d5b962dfe37671b5134f0b741a662610b568c2b5374010ee92b5b7857d87872c

SHA512
d815a9391ef3d508b89fc221506b95f4c92d586ec38f26aec0f239750f34cf398eed3d818fa439f6aa6ed3b30f555a1903d93eeeec133b80849a4aa6685ec070

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 775343.crdownload:SmartScreen
Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 990509.crdownload
Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-4124900551-4068476067-3491212533-1000\SVWJHE-MANUAL.txt
Filesize
8KB

MD5
d1678762036bba53f5d60d11bc6b4265

SHA1
2be96f4544e8b7a17ca2e97ea229f63088ac2566

SHA256
8492e1a770429bfdfcfa05dcf06203a23731057c2acde3b8534b220e72cf4681

SHA512
88a977c04593e0240a7484301eb4af4398340ab155d853a605068811cc5bbe7c72a3274a627ff5ebaff6805062f8fe292bf92863710fca80a66d347c3c2ef49c

Download Submit
\??\pipe\LOCAL\crashpad_1476_XISBVMNIXXHSVNHW
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/540-1370-0x0000000000400000-0x00000000052B3000-memory.dmp

Filesize
78.7MB

Download
memory/540-1359-0x0000000000400000-0x00000000052B3000-memory.dmp

Filesize
78.7MB

Download
memory/1508-1736-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1820-1837-0x000000001CBD0000-0x000000001CC1C000-memory.dmp

Filesize
304KB

Download
memory/1820-1836-0x0000000001720000-0x0000000001728000-memory.dmp

Filesize
32KB

Download
memory/1820-1835-0x000000001C970000-0x000000001CA0C000-memory.dmp

Filesize
624KB

Download
memory/1820-1834-0x000000001C3A0000-0x000000001C86E000-memory.dmp

Filesize
4.8MB

Download
memory/1820-1833-0x000000001BE20000-0x000000001BEC6000-memory.dmp

Filesize
664KB

Download
memory/1984-1469-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1984-1468-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3380-1452-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3380-1441-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3380-1442-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4068-1658-0x0000000000030000-0x0000000000040000-memory.dmp

Filesize
64KB

Download
memory/4068-1659-0x0000000004ED0000-0x0000000005474000-memory.dmp

Filesize
5.6MB

Download
memory/4068-1660-0x0000000004A10000-0x0000000004AA2000-memory.dmp

Filesize
584KB

Download
memory/4068-1661-0x0000000004AE0000-0x0000000004AEA000-memory.dmp

Filesize
40KB

Download
memory/4356-1358-0x0000000000400000-0x00000000052B3000-memory.dmp

Filesize
78.7MB

Download
memory/4776-602-0x0000000001000000-0x0000000001025000-memory.dmp

Filesize
148KB

Download
memory/4776-585-0x0000000001000000-0x0000000001025000-memory.dmp

Filesize
148KB

Download
memory/5436-1435-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5436-1524-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5436-1433-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5436-1737-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5436-1739-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5436-1749-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5436-1678-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5436-1771-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5436-1662-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5436-1434-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5436-1625-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5436-1809-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5436-1465-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5436-1606-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5436-1437-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5436-1587-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5436-1542-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5436-1717-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5436-1464-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5436-1860-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5436-1942-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5436-1505-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5436-1906-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5436-1917-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5436-1472-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5436-1928-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5436-1930-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5436-1932-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5436-1934-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5436-1936-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5436-1938-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5436-1940-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5440-589-0x0000000000D90000-0x0000000000DB5000-memory.dmp

Filesize
148KB

Download